From 20c31a5d10d521158f41b6821a93576a17fe60bc Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Mon, 13 Feb 2023 13:32:24 -0800
Subject: [PATCH] [threat-actors] Add TA577

---
 clusters/threat-actor.json | 79 ++++++++++++++++++++++++++++++++++++--
 1 file changed, 76 insertions(+), 3 deletions(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 548d54b..347d6cd 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -10038,10 +10038,15 @@
 {
 "description": "One of the most active Qbot malware affiliates, Proofpoint has tracked the large cybercrime threat actor TA570 since 2018.",
 "meta": {
+ "country": "RU",
 "references": [
 "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware",
 "https://therecord.media/hackers-using-follina-windows-zero-day-to-spread-qbot-malware/",
- "https://isc.sans.edu/diary/TA570+Qakbot+Qbot+tries+CVE202230190+Follina+exploit+msmsdt/28728"
+ "https://isc.sans.edu/diary/TA570+Qakbot+Qbot+tries+CVE202230190+Follina+exploit+msmsdt/28728",
+ "https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/"
+ ],
+ "synonyms": [
+ "DEV-0450"
 ]
 },
 "related": [
@@ -10068,8 +10073,9 @@
 "references": [
 "https://blogs.blackberry.com/en/2021/08/blackberry-prevents-threat-actor-group-ta575-and-dridex-malware",
 "https://www.proofpoint.com/us/blog/threat-insight/ta575-uses-squid-game-lures-distribute-dridex-malware",
- "https://www.zdnet.com/article/ta575-criminal-group-using-squid-game-lures-for-dridex-malware/"
- ],
+ "https://www.zdnet.com/article/ta575-criminal-group-using-squid-game-lures-for-dridex-malware/",
+ "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware"
+ ]
 },
 "related": [
 {
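Review bot: The added `"country": "RU"` on the TA570 entry is an attribution claim, and none of the reference URLs listed in this hunk signal by their titles that they establish a Russian origin; the same applies to the `"country": "RU"` added to the new TA577 entry in the third hunk. I cannot read the linked articles from the diff, so if one of them (for TA570 presumably the Microsoft DEV-0450 write-up) does state it, that is fine, but a consumer of this galaxy has no way to tell which reference backs the country field. Either add the reference that supports the attribution to `"references"` for each entry, or leave `country` out until one is available.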
@@ -10116,6 +10122,73 @@
 }
 ],
 "value": "TA575"
+ },
+ {
+ "description": "TA577 is a prolific cybercrime threat actor tracked by Proofpoint since mid-2020. This actor conducts broad targeting across various industries and geographies, and Proofpoint has observed TA577 deliver payloads including Qbot, IcedID, SystemBC, SmokeLoader, Ursnif, and Cobalt Strike.",
+ "meta": {
+ "country": "RU",
+ "references": [
+ "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware",
+ "https://thehackernews.com/2021/06/ransomware-attackers-partnering-with.html",
+ "https://www.itpro.com/security/ransomware/359919/ransomware-criminals-look-to-other-hackers-to-provide-them-with-network",
+ "https://exchange.xforce.ibmcloud.com/threat-group/guid:1dda890fa2662ed26b451c703e922315"
+ ],
+ "synonyms": [
+ "Hive0118"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "2ccaccd0-8362-4224-8497-2012e7cc7549",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "edc5e045-5401-42bb-ad92-52b5b2ee0de9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "26f5afaf-0bd7-4741-91ab-917bdd837330",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "cd0ad49d-7f79-45e0-91ba-c5eecdabe3aa",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "ba91d713-c36e-4d98-9fb7-e16496a69eec",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "4f3ad937-bf2f-40cb-9695-a2bedfd41bfa",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "1a1d3ea4-972e-4c48-8d85-08d9db8f1550",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
+ }
+ ],
+ "value": "TA577"
 }
 ],
 "version": 258
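Review bot: The new TA577 object, which is entirely within this hunk (from the added `{` down to the context `}`), carries no `uuid` key, while its own `related` block addresses other clusters by `dest-uuid`; without a uuid of its own nothing in the galaxy can reference this entry, and tooling that keys cluster values by uuid will reject or skip it. Add a line such as `"uuid": "<new-random-UUIDv4>",` next to `"value": "TA577"`, following whatever key position the existing entries in this file use. The trailing `"version": 258` context line is also unchanged although values were added and edited, and the galaxy convention is to bump it on every content change so downstream instances pick up the update, i.e. `"version": 259`. The seven `dest-uuid` targets cannot be checked from the hunk, so it is worth confirming each resolves to one of the malware families named in the description.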